OpenWRT IPv6: NAT64 dan DNS64 menggunakan BIND

From OnnoWiki
Revision as of 10:33, 15 July 2015 by Onnowpurbo (talk | contribs)
Jump to navigation Jump to search

Sumber:

tayga semoga sudah di install atau di compile bersama firmware.

Konfigurasi NAT64 interface:

# /etc/config/network
config 'interface' 'nat64'
        option 'proto' 'tayga'
        option ipv4_addr 192.0.2.1
        option ipv6_addr 2001:470:1f09:xxxx::7f00:1
        option prefix 64:ff9b::/96
        option dynamic_pool 192.0.2.0/24
        option accept_ra 0
        option send_rs 0
config interface nat64
        option proto tayga
        option ipv4_addr 192.0.2.1
        option ipv6_addr 2001:db8:1::7f00:1
        option prefix 64:ff9b::/96
        option dynamic_pool 192.0.2.0/24
        option accept_ra 0
        option send_rs 0

dimana:

  • 2001:470:1f09:xxxx::/64 adalah IPv6 prefix di LAN
  • 192.0.2.0/24 adalah tayga prefix untuk 4-to-6 mappings
  • 64:ff9b::/96 prefix untuk IPv6-mapped IPv4 addresses.

Tambahkan nat64 ke lan firewall zone karena kita perlu secara explisit NAT44 packet untuk 4-to-6 inbound connections:

# /etc/config/firewall
config 'zone'
        option 'name' 'lan'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'ACCEPT'
        option 'network' 'lan nat64'


Coba (ifup nat64 interface dan jalankan firewall rules):

# ping6 -c3 64:ff9b::194.87.0.50
PING 64:ff9b::194.87.0.50(64:ff9b::c257:32) 56 data bytes
64 bytes from 64:ff9b::c257:32: icmp_seq=1 ttl=56 time=3.42 ms
64 bytes from 64:ff9b::c257:32: icmp_seq=2 ttl=56 time=3.35 ms
64 bytes from 64:ff9b::c257:32: icmp_seq=3 ttl=56 time=4.04 ms   

--- 64:ff9b::194.87.0.50 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2040ms
rtt min/avg/max/mdev = 3.354/3.610/4.049/0.319 ms


Kita perlu sebuah source untuk AAAA record untuk hosts yang hanya mempunyai A. Ini disebut DNS64 dan di dukung oleh bind 9.8.0 ke atas.

Modifikasi default named.conf:

# /etc/bind/named.conf
acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
options {
        directory "/tmp"; 
        auth-nxdomain no;    # conform to RFC1035 
        allow-query { localnets; localhost; };
        listen-on { any; };
        listen-on-v6 { any; };

        dns64 64:ff9b::/96 {
                clients { any; };
                mapped { !rfc1918; any; };
                exclude { 64:ff9b::/96; ::ffff:0000:0000/96; };
                suffix ::;
        };

        edns-udp-size 512;
        max-udp-size 512;
};


// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};


Semua host di LAN menggunakan bind sebagai nameserver (announced via radvd dan di proses oleh dnssd). Coba:

$ host www.ru
www.ru has address 194.87.0.50
www.ru has IPv6 address 64:ff9b::c257:32
www.ru mail is handled by 5 hq.demos.ru.

$ host 194.87.0.50
50.0.87.194.in-addr.arpa domain name pointer www.ru.

$ host 64:ff9b::c257:32
2.3.0.0.7.5.2.c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.9.f.f.4.6.0.0.ip6.arpa is an alias for 50.0.87.194.in-addr.arpa. 50.0.87.194.in-addr.arpa domain name pointer www.ru.


Untuk memberikan IPv4 hosts access ke layanan di IPv6-olny network? Kita perlu mengkonfigurasi NAT44 ke sebuah address dari tayga dynamic pool:

# /etc/config/firewall
# rule for tayga to create static mapping
config 'nat64'
        option 'ipv4_addr' '192.0.2.32'
        option 'ipv6_addr' '2001:470:1f09::xxxx::yyyy:zzzz'

# rule for OpenWRT firewall to redirect traffic on port 25
config 'redirect'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option 'src_dport' '25'
        option 'dest_ip' '192.0.2.32'
        option 'target' 'DNAT'
        option 'dest' 'lan'

# rule OpenWRT firewall to permit access to port 25 to LAN host
config 'rule'
        option 'target' 'ACCEPT'
        option 'src' 'wan'
        option 'dest' 'lan'
        option 'proto' 'tcp'
        option 'dest_ip' '2001:470:1f09:xxxx::yyyy:zzzz'
        option 'dest_port' '25'
        option 'family' 'ipv6'


Last rule is only needed to provide access to my SMTP service via native IPv6. Since nat64 interface belongs to lan firewall zone there's no need to premit traffic from 64:ff9b::/64, it is already done by permitting traffic to 192.0.2.32 (processed by redirect rule).

An now we can see some dirty spammers in maillog:

Feb 17 12:23:31 hell postfix/smtpd[12288]: connect from 114-42-157-193.dynamic.hinet.net[64:ff9b::722a:9dc1]
Feb 17 12:23:31 hell postfix/smtpd[12288]: warning: non-SMTP command from 114-42-157-193.dynamic.hinet.net[64:ff9b::722a:9dc1]: GET http://www.scanproxy.com:80/p-25.html HTTP/1.0








Referensi